What am I Missing With This?

[Rick Curry]

I have an application that outputs its log in HTML format (grrr) and I need to extract some of the data from the events. The log data looks like this:

<tr bgcolor="tomato"><td>Jan 20<br>00:46:46.298</td><td>WebContainer : 74</td><td>N/A</td><td>N/A</td><td>ERR</td><td>CAbsServlet.doPost(333)</td><td>Invalid request: Remote host: 9.9.9.9 Meta Data: [Function Name: PingToServer, Login Session ID: 1344865, Call ID: 0]. Error: The session authentication has failed..</td></tr>

I want to extract the date/time (which I have highlighted in the first line of this event). Using rex I came up with the following that extracts these two items as 'event_date' and 'event_time':

(?i)<td>(?<event_date>.+?)<br>\d+:

(?i)<br>(?<event_time>[^<]+)

But when I put those into a props.conf file, these field extractions do not show up. The props.conf looks like this:

[web]
BREAK_ONLY_BEFORE = \<tr
SHOULD_LINEMERGE = true
EXTRACT-event_date = (?i)<td>(?<event_date>.+?)<br>\d+:
EXTRACT-event_time = (?i)<br>(?<event_time>[^<]+)

What am I missing that is preventing this from working?

 

I appreciate your time and input on this inquiry.

 

Rick

 

[Splunk Dallas]

You might need to escape out < and > chars with a backslash so that the Rex sees those as literal chars. 

Thanks,

-maverick

--